Abstract. In Apt and Bezem [AB99] we provided a computational interpretation of first-order formulas over arbitrary interpretations. Here we complement this work by introducing a denotational semantics for first-order logic. Additionally, by allowing an assignment of a non-ground term to a variable we introduce logical variables into this framework. The semantics combines a number of well-known ideas from the areas of semantics of imperative programming languages and logic programming. In the resulting computational view conjunction corresponds to sequential composition, disjunction to "don't know" nondeterminism, existential quantification to the declaration of a local variable, and negation to the "negation as finite failure" rule. The soundness result shows correctness of the semantics with respect to the notion of truth. The proof resembles in some aspects the proof of the soundness of SLDNF-resolution.



1 Introduction 
Background 

To explain properly the motivation for the work discussed here we need to go back to the roots of logic programming and constraint logic programming. Logic programming grew out of the seminal work of Robinson [Rob65] on the resolution method and the unification method. First, Kowalski and Kuehner [KK71] introduced a limited form of resolution, called linear resolution. Then Kowalski [Kow74] proposed what we now call SLD-resolution. SLD-resolution is both a restriction and an extension of the resolution method. Namely, the clauses are restricted to Horn clauses. However, in the course of the resolution process a substitution is generated that can be viewed as the result of a computation. Right from the outset SLD-resolution thus became a crucial example of the computation as deduction paradigm, according to which the computation process is identified with a constructive proof of a formula (a query) from a set of axioms (a program), with the computation process yielding the witness (a substitution). This lineage of logic programming explains two of its relevant characteristics:
This lineage of logic programming explains two of its relevant characteristics: 

1. the queries and clause bodies are limited to the conjunctions of atoms, 

2. the computation takes place (implicitly) over the domain of all ground terms 
of a given first-order language. 



The restriction in item 1 was gradually lifted and through the works of Clark [Cla78] and Lloyd and Topor [LT84] one eventually arrived at the possibility of using arbitrary first-order formulas as queries and clause bodies. This general syntax is for example available in the language Gödel of Hill and Lloyd [HL94].

A way to overcome the restriction in item 2. was proposed in 1987 by Jaffar 
and Lassez in their influential CLP(X) scheme that led to constraint logic pro- 
gramming. In this proposal the computation takes place over an arbitrary inter- 
pretation and the queries and clause bodies can contain constraints, i.e., atomic 
formulas interpreted over the chosen interpretation. The unification mechanism 
is replaced by a more general process of constraint solving and the outcome of 
a computation is a sequence of constraints to which the original query reduces. 

This powerful idea has since been embodied in many constraint logic programming languages, starting with the CLP(ℛ) language of Jaffar, Michaylov, Stuckey, and Yap [JMSY92], in which linear constraints over the reals were allowed, and the CHIP language of Dincbas et al. [DVS+88], in which linear constraints over finite domains, combined with constraint propagation, were introduced. A theoretical framework for CHIP was provided in van Hentenryck [Van89].



This transition from logic programming to constraint logic programming introduced a new element. In the CLP(X) scheme a test for the satisfiability of a sequence of constraints is needed, while a proper account of the CHIP computing process requires the introduction of constraint propagation into the framework. On some interpretations these procedures can be undecidable (the satisfiability test) or computationally expensive ("ideal" constraint propagation). This explains why the realized implementations settled for some approximation of the former or for limited instances of the latter.

So in both approaches the computation (i.e., the deduction) process needs 
to be parametrized by external procedures that for each specific interpretation 
have to be provided and implemented separately. In short, in both cases the 
computation process, while parametrized by the considered interpretation, also 
depends on the external procedures used. In conclusion: constraint logic pro- 
gramming did not provide a satisfactory answer to the question of how to lift 
the computation process of logic programming from the domain of all ground 
terms to an arbitrary interpretation without losing the property that this process 
is effective. 

Arbitrary interpretations are important since they represent a declarative counterpart of data types. In practical situations the selected interpretations would admit sorts that correspond to the data types chosen by the user for the application at hand, say terms, integers, reals and/or lists, each with the usual operations available. It is useful to contrast this view with the one taken in typed versions of logic programming languages. For example, in the case of the Gödel language (polymorphic) types are provided and are modeled by (polymorphic) sorts in the underlying theoretic model. However, in this model the computation still implicitly takes place over one fixed domain, that of all ground terms partitioned into sorts. This domain properly captures the built-in types but does not provide an account of user defined types. Moreover, in this approach a different (i.e., not uniform) interpretation of equality for different types is needed, a feature present in the language but not accounted for in the theoretical model.



Formulas as Programs 

The above considerations motivated our work on a computational interpretation of first-order formulas over arbitrary interpretations reported in Apt and Bezem [AB99]. This allowed us to view first-order formulas as executable programs. That is why we called this approach formulas as programs. In our approach the computation process is a search for a satisfying valuation of the formula in question. Because the problem of finding such a valuation is in general undecidable, we had to introduce the possibility of partial answers, modeled by the presence of run-time errors.

This ability to compute over arbitrary interpretations allowed us to extend the computation as deduction paradigm to arbitrary interpretations. We noted already that SLD-resolution is both a restriction and an extension of the resolution method. In turn, the formulas as programs approach is both a restriction and an extension of logic programming. Namely, the unification process is limited to an extremely simple form of matching involving variables and ground terms only. However, the computation process now takes place over an arbitrary structure and full first-order syntax is adopted.

The formulas as programs approach to programming has been realized in the programming language Alma-0 [ABPS98] that extends imperative programming by features that support declarative programming. In fact, the work reported in Apt and Bezem [AB99] provided logical underpinnings for a fragment of Alma-0 that does not include destructive assignment or recursive procedures and allowed us to reason about non-trivial programs written in this fragment.



Rationale for This Paper 



The computational interpretation provided in Apt and Bezem [AB99] can be viewed as an operational semantics of first-order logic. The history of semantics of programming languages has taught us that to better understand the underlying principles it is beneficial to abstract from the details of the operational semantics. This view was put forward by Scott and Strachey [SS71] in their proposal of denotational semantics of programming languages, according to which, given a programming language, the meaning of each program is a mathematical function of the meanings of its direct constituents.



The aim of this paper is to complement the work of [AB99] by providing a denotational semantics of first-order formulas. This semantics combines a number of ideas realized in the area of (nondeterministic) imperative programming languages and the field of logic programming. It formalizes a view according to which conjunction can be seen as sequential composition, disjunction as "don't know" nondeterminism, existential quantification as the declaration of a local variable, and it relates negation to the "negation as finite failure" rule.

The main result is that the denotational semantics is sound with respect to the truth definition. The proof is reminiscent in some aspects of the proof of the soundness of SLDNF-resolution of Clark [Cla78]. The semantics of equations allows matching involving variables and non-ground terms, a feature not present in [AB99] and in Alma-0. This facility introduces logical variables into this framework but also creates a number of difficulties in the soundness proof, because bindings to local variables can now be created.

First-order logic is obviously too limited a formalism for programming. In [AB99] we discussed a number of extensions that are convenient for programming purposes, to wit sorts (i.e., types), arrays, bounded quantification and non-recursive procedures. This leads to a very expressive and easy to program in subset of Alma-0. We do not envisage any problems in incorporating these features into the denotational semantics provided here. A major open problem is how to deal with recursion.

The plan of the paper is as follows. In the next section we discuss the difficulties encountered when solving arbitrary equations over algebras. Then, in Section 3 we provide a semantics of equations and in Section 4 we extend it to the case of first-order formulas interpreted over an arbitrary interpretation. The resulting semantics is denotational in style. In Section 5 we relate this semantics to the notion of truth by establishing a soundness result. In Section 6 we draw conclusions and suggest some directions for future work.



2 Solving Equations over Algebras 

Consider some fixed, but arbitrary, language of terms $L$ and a fixed, but arbitrary, algebra $\mathcal{J}$ for it (sometimes called a pre-interpretation). A typical example is the language defining arithmetic expressions and its standard interpretation over the domain of integers.

We are interested in solving equations of the form $s = t$ over an algebra, that is, we seek an instantiation of the variables occurring in $s$ and $t$ that makes this equation true when interpreted over $\mathcal{J}$. By varying $L$ and $\mathcal{J}$ we obtain a whole array of specific decision problems that sometimes can be solved efficiently, like the unification problem or the problem of solving linear equations over the reals, and sometimes are undecidable, like the problem of solving Diophantine equations.

Our intention is to use equations as a means to assign values to variables. Consequently, we wish to find a natural, general situation for which the problem of determining whether an equation $s = t$ has a solution in a given algebra is decidable, and to exhibit a "most general solution", if one exists. By using most general solutions we do not lose any specific solution.

This problem cannot be properly dealt with in full generality. Take for example the polynomial equations over the integers. Then the equation $x^2 - 3x + 2 = 0$ has two solutions, $\{x/1\}$ and $\{x/2\}$, and neither is "more general" than the other under any reasonable definition of a solution being more general than another.

In fact, given an arbitrary interpretation, the only case that seems to be of any use is that of comparing a variable and an arbitrary term. This brings us to equations of the form $x = t$, where $x$ does not occur in $t$. Such an equation obviously has a most general solution, namely the instantiation $\{x/t\}$.

A dual problem is that of finding when an equation $s = t$ has no solution in a given algebra. Of course, non-unifiability is not a rescue here: just consider the already mentioned equation $x^2 - 3x + 2 = 0$, the sides of which do not unify.

Again, the only realistic situation seems to be when both terms are ground and their values in the considered algebra are different. This brings us to equations $s = t$ both sides of which are ground terms.

3 Semantics of Equations 

After these preliminary considerations we introduce specific "hybrid" objects in 
which we mix the syntax and semantics. 

Definition 1. Consider a language of terms $L$ and an algebra $\mathcal{J}$ for it. Given a function symbol $f$ we denote by $f_{\mathcal{J}}$ the interpretation of $f$ in $\mathcal{J}$.

— Consider a term of $L$ in which we replace some of the variables by elements of the domain $D$. We call the resulting object a generalized term.

— Given a generalized term $t$ we define its $\mathcal{J}$-evaluation as follows:

• replace each constant occurring in $t$ by its value in $\mathcal{J}$,

• repeatedly replace each sub-object of the form $f(d_1, \ldots, d_n)$, where $f$ is a function symbol and $d_1, \ldots, d_n$ are elements of the domain $D$, by the element $f_{\mathcal{J}}(d_1, \ldots, d_n)$ of $D$.

We call the resulting generalized term a $\mathcal{J}$-term and denote it by $[t]_{\mathcal{J}}$. Note that if $t$ is ground, then $[t]_{\mathcal{J}}$ is an element of the domain of $\mathcal{J}$.

— By a $\mathcal{J}$-substitution we mean a finite mapping from variables to $\mathcal{J}$-terms which assigns to each variable $x$ in its domain a $\mathcal{J}$-term different from $x$. We write it as $\{x_1/h_1, \ldots, x_n/h_n\}$. □

The $\mathcal{J}$-substitutions generalize both the usual substitutions and the valuations, which assign domain values to variables. By adding to the language $L$ constants for each domain element and for each ground term we could reduce the $\mathcal{J}$-substitutions to substitutions. We preferred not to do this, to keep the notation simple.

In what follows we denote the empty $\mathcal{J}$-substitution by $\varepsilon$ and arbitrary $\mathcal{J}$-substitutions by $\theta, \eta, \gamma$ with possible subscripts.

A more intuitive way of introducing $\mathcal{J}$-terms is as follows. Each ground term $s$ of $L$ evaluates to a unique value in $\mathcal{J}$. Given a generalized term $t$ replace each maximal ground subterm of $t$ by its value in $\mathcal{J}$. The outcome is the $\mathcal{J}$-term $[t]_{\mathcal{J}}$.

We define the notion of an application of a $\mathcal{J}$-substitution $\theta$ to a generalized term $t$ in the standard way and denote it by $t\theta$. If $t$ is a term, then $t\theta$ does not have to be a term, though it is a generalized term.
Definition 2.

— A composition of two $\mathcal{J}$-substitutions $\theta$ and $\eta$, written as $\theta\eta$, is defined as the unique $\mathcal{J}$-substitution $\gamma$ such that for each variable $x$

$$x\gamma = [(x\theta)\eta]_{\mathcal{J}}.$$

□

Let us illustrate the introduced concepts by means of two examples. 

Example 1. Take an arbitrary language of terms $L$. The Herbrand algebra $\mathit{Her}$ for $L$ is defined as follows:

— its domain is the set $\mathit{HU}_L$ of all ground terms of $L$ (usually called the Herbrand universe),

— if $f$ is an $n$-ary function symbol in $L$, then its interpretation is the mapping from $(\mathit{HU}_L)^n$ to $\mathit{HU}_L$ which maps the sequence $t_1, \ldots, t_n$ of ground terms to the ground term $f(t_1, \ldots, t_n)$.

Consider now a term $s$. Then $[s]_{\mathit{Her}}$ equals $s$ because in $\mathit{Her}$ every ground term evaluates to itself. So the notions of a term, a generalized term and a $\mathit{Her}$-term coincide. Consequently, the notions of substitutions and $\mathit{Her}$-substitutions coincide. □

Example 2. Take as the language of terms the language $\mathit{AE}$ of arithmetic expressions. Its binary function symbols are the usual $\cdot$ ("times"), $+$ ("plus") and $-$ ("minus"), and its unique unary symbol is $-$ ("unary minus"). Further, for each integer $k$ there is a constant $k$.

As the algebra for $\mathit{AE}$ we choose the standard algebra $\mathit{Int}$ that consists of the set of integers with the function symbols interpreted in the standard way. In what follows we write the binary function symbols in the usual infix notation.

Consider the term $s = x + (((3 + 2) \cdot 4) - y)$. Then $[s]_{\mathit{Int}}$ equals $x + (20 - y)$. Further, given the $\mathit{Int}$-substitution $\theta := \{x/6 - z,\ y/3\}$ we have $s\theta = (6 - z) + (((3 + 2) \cdot 4) - 3)$ and consequently $[s\theta]_{\mathit{Int}} = (6 - z) + 17$. Further, given $\eta := \{z/4\}$, we have $\theta\eta = \{x/2,\ y/3,\ z/4\}$. □

To define the meaning of an equation over an algebra $\mathcal{J}$ we view $\mathcal{J}$-substitutions as states and use a special state

— $\mathit{error}$, to indicate that it is not possible to determine effectively whether a solution to the equation $s\theta = t\theta$ in $\mathcal{J}$ exists.

We now define the semantics $[\![\cdot]\!]$ of an equation between two generalized terms as follows:

$$
[\![s = t]\!](\theta) :=
\begin{cases}
\{\theta\{s\theta/[t\theta]_{\mathcal{J}}\}\} & \text{if } s\theta \text{ is a variable that does not occur in } t\theta, \\
\{\theta\{t\theta/[s\theta]_{\mathcal{J}}\}\} & \text{if } t\theta \text{ is a variable that does not occur in } s\theta \text{ and } s\theta \text{ is not a variable}, \\
\{\theta\} & \text{if } [s\theta]_{\mathcal{J}} \text{ and } [t\theta]_{\mathcal{J}} \text{ are identical}, \\
\emptyset & \text{if } s\theta \text{ and } t\theta \text{ are ground and } [s\theta]_{\mathcal{J}} \neq [t\theta]_{\mathcal{J}}, \\
\{\mathit{error}\} & \text{otherwise.}
\end{cases}
$$

Here $\theta\{s\theta/[t\theta]_{\mathcal{J}}\}$ is the composition of Definition 2. It will become clear in the next section why we collect here the unique outcome into a set and why we "carry" $\theta$ in the answers.

Note that according to the above definition we have $[\![s = t]\!](\theta) = \{\mathit{error}\}$ for non-ground generalized terms $s\theta$ and $t\theta$ such that the $\mathcal{J}$-terms $[s\theta]_{\mathcal{J}}$ and $[t\theta]_{\mathcal{J}}$ are different. In some situations we could then safely assert that $[\![s = t]\!](\theta) = \{\theta\}$ or that $[\![s = t]\!](\theta) = \emptyset$. For example, for the standard algebra $\mathit{Int}$ for the language of arithmetic expressions we could safely assert that $[\![x + x = 2 \cdot x]\!](\theta) = \{\theta\}$ and $[\![x + 1 = x]\!](\theta) = \emptyset$ for any $\mathcal{J}$-substitution $\theta$.

The reason we did not do this is that we wanted to ensure that the semantics is uniform and decidable, so that it can be implemented.

4 A Denotational Semantics for First-Order Logic 

Consider now a first-order language with equality $\mathcal{L}$. In this section we extend the semantics $[\![\cdot]\!]$ to arbitrary first-order formulas from $\mathcal{L}$ interpreted over an arbitrary interpretation. $[\![\cdot]\!]$ depends on the considered interpretation, but to keep the notation simple we do not indicate this dependence. This semantics is denotational in the sense that the meaning of each formula is a mathematical function of the meanings of its direct constituents.

Fix an interpretation $\mathcal{I}$. $\mathcal{I}$ is based on some algebra $\mathcal{J}$. We define the notion of an application of a $\mathcal{J}$-substitution $\theta$ to a formula $\phi$ of $\mathcal{L}$, written as $\phi\theta$, in the usual way.

Consider an atomic formula $p(t_1, \ldots, t_n)$ and a $\mathcal{J}$-substitution $\theta$. We denote by $p_{\mathcal{I}}$ the interpretation of $p$ in $\mathcal{I}$. We say that

— $p(t_1, \ldots, t_n)\theta$ is true if $p(t_1, \ldots, t_n)\theta$ is ground and $([t_1\theta]_{\mathcal{J}}, \ldots, [t_n\theta]_{\mathcal{J}}) \in p_{\mathcal{I}}$,

— $p(t_1, \ldots, t_n)\theta$ is false if $p(t_1, \ldots, t_n)\theta$ is ground and $([t_1\theta]_{\mathcal{J}}, \ldots, [t_n\theta]_{\mathcal{J}}) \notin p_{\mathcal{I}}$.

In what follows we denote by $\mathit{Subs}$ the set of $\mathcal{J}$-substitutions and by $\mathcal{P}(A)$, for a set $A$, the set of all subsets of $A$.

For a given formula $\phi$ its semantics $[\![\phi]\!]$ is a mapping

$$[\![\phi]\!] : \mathit{Subs} \to \mathcal{P}(\mathit{Subs} \cup \{\mathit{error}\}).$$

The fact that the outcome of $[\![\phi]\!](\theta)$ is a set reflects the possibility of nondeterminism, here modeled by disjunction.

To simplify the definition we extend $[\![\cdot]\!]$ to deal with subsets of $\mathit{Subs} \cup \{\mathit{error}\}$ by putting

$$[\![\phi]\!](\mathit{error}) := \{\mathit{error}\},$$

and for a set $X \subseteq \mathit{Subs} \cup \{\mathit{error}\}$

$$[\![\phi]\!](X) := \bigcup_{e \in X} [\![\phi]\!](e).$$
Further, to deal with the existential quantifier, we introduce an operation $\mathit{DROP}_x$, where $x$ is a variable. First we define $\mathit{DROP}_x$ on the elements of $\mathit{Subs} \cup \{\mathit{error}\}$ by putting for a $\mathcal{J}$-substitution $\theta$

$$
\mathit{DROP}_x(\theta) :=
\begin{cases}
\theta & \text{if } x \text{ is not in the domain of } \theta, \\
\eta & \text{if } \theta \text{ is of the form } \eta \uplus \{x/s\},
\end{cases}
$$

and

$$\mathit{DROP}_x(\mathit{error}) := \mathit{error}.$$

Then we extend it element-wise to subsets of $\mathit{Subs} \cup \{\mathit{error}\}$, that is, by putting for a set $X \subseteq \mathit{Subs} \cup \{\mathit{error}\}$

$$\mathit{DROP}_x(X) := \{\mathit{DROP}_x(e) \mid e \in X\}.$$

$[\![\cdot]\!]$ is defined by structural induction as follows, where $A$ is an atomic formula different from $s = t$:

— $[\![A]\!](\theta) := \begin{cases} \{\theta\} & \text{if } A\theta \text{ is true}, \\ \emptyset & \text{if } A\theta \text{ is false}, \\ \{\mathit{error}\} & \text{otherwise, that is, if } A\theta \text{ is not ground}, \end{cases}$

— $[\![\phi_1 \wedge \phi_2]\!](\theta) := [\![\phi_2]\!]([\![\phi_1]\!](\theta))$,

— $[\![\phi_1 \vee \phi_2]\!](\theta) := [\![\phi_1]\!](\theta) \cup [\![\phi_2]\!](\theta)$,

— $[\![\neg\phi]\!](\theta) := \begin{cases} \{\theta\} & \text{if } [\![\phi]\!](\theta) = \emptyset, \\ \emptyset & \text{if } \theta \in [\![\phi]\!](\theta), \\ \{\mathit{error}\} & \text{otherwise}, \end{cases}$

— $[\![\exists x\, \phi]\!](\theta) := \mathit{DROP}_y([\![\phi\{x/y\}]\!](\theta))$, where $y$ is a fresh variable.

To better understand this definition let us consider some simple examples that refer to the algebras discussed in Examples 1 and 2.

Example 3. Take an interpretation $\mathcal{I}$ based on the Herbrand algebra $\mathit{Her}$. Then

$$[\![f(x) = z \wedge g(z) = g(f(x))]\!](\{x/g(y)\}) = [\![g(z) = g(f(x))]\!](\theta) = \{\theta\},$$

where $\theta := \{x/g(y),\ z/f(g(y))\}$. On the other hand

$$[\![g(f(x)) = g(z)]\!](\{x/g(y)\}) = \{\mathit{error}\}.$$

□

Example 4. Take an interpretation $\mathcal{I}$ based on the standard algebra $\mathit{Int}$ for the language of arithmetic expressions. Then

$$[\![y = z - 1 \wedge z = x + 2]\!](\{x/1\}) = [\![z = x + 2]\!](\{x/1,\ y/z - 1\}) = \{\{x/1,\ y/2,\ z/3\}\}.$$

Further,

$$[\![y + 1 = z - 1]\!](\{y/1,\ z/3\}) = \{\{y/1,\ z/3\}\}$$

and even

$$[\![x \cdot (y + 1) = (v + 1) \cdot (z - 1)]\!](\{x/v + 1,\ y/1,\ z/3\}) = \{\{x/v + 1,\ y/1,\ z/3\}\}.$$

On the other hand

$$[\![y - 1 = z - 1]\!](\varepsilon) = \{\mathit{error}\}.$$

□



The first example shows that the semantics given here is weaker than the one provided by logic programming. In turn, the second example shows that our treatment of arithmetic expressions is more general than the one provided by Prolog.
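The following Python program is an added executable illustration, not code from the paper or from Alma-0. It implements the $\mathcal{J}$-evaluation, the $\mathcal{J}$-substitutions and their composition of Section 3, the semantics $[\![s = t]\!]$ of equations, and the semantics $[\![\cdot]\!]$ of Section 4 (conjunction as sequential composition, disjunction as union, negation as finite failure, $\exists x$ as a fresh variable followed by $\mathit{DROP}$), parametrized by an algebra, and then reproduces Examples 3 and 4 over $\mathit{Her}$ and $\mathit{Int}$. The encoding of terms (a `Var` class, Python ints as the domain of $\mathit{Int}$, tuples for function applications), the representation of an algebra as a dict of Python functions and of $p_{\mathcal{I}}$ as a Python predicate, and the counter that generates the fresh variable $y$ are this example's own choices, not notation from the paper.

```python
"""Added executable illustration (not the paper's code): J-terms, J-substitutions,
[[s = t]](theta) of Section 3 and [[phi]](theta) of Section 4, run over Her and Int."""
import itertools

ERROR = "error"                 # the special state of Section 3
_fresh = itertools.count()      # numbers the fresh variables y used for existential quantifiers

class Var:                      # a variable; domain values and tuples are never variables
    def __init__(self, name): self.name = name
    def __eq__(self, o): return isinstance(o, Var) and o.name == self.name
    def __repr__(self): return self.name

# Generalized terms: a Var, a domain element (an int for Int), or ('f', t1, ..., tn).
# An algebra is a dict giving f_J for every interpreted function symbol f (example's encoding).
INT = {"+": lambda a, b: a + b, "-": lambda a, b: a - b, "*": lambda a, b: a * b}
HER = {}                        # Herbrand algebra: nothing is interpreted, ground terms stay

def is_ground(t):
    return not isinstance(t, Var) and (not isinstance(t, tuple) or all(map(is_ground, t[1:])))

def evaluate(t, J):
    """[t]_J (Definition 1): fold every maximal ground subterm into its value in J."""
    if not isinstance(t, tuple): return t
    args = [evaluate(a, J) for a in t[1:]]
    return J[t[0]](*args) if t[0] in J and all(map(is_ground, args)) else (t[0], *args)

def apply(t, theta, J):
    """[t theta]_J: apply the J-substitution theta (dict name -> J-term), then evaluate."""
    if isinstance(t, Var): return theta.get(t.name, t)
    if isinstance(t, tuple): return evaluate((t[0], *(apply(a, theta, J) for a in t[1:])), J)
    return t

def compose(theta, eta, J):
    """theta eta (Definition 2): x gamma = [(x theta) eta]_J; bindings x/x are dropped."""
    gamma = {x: apply(t, eta, J) for x, t in theta.items()}
    gamma.update({x: t for x, t in eta.items() if x not in theta})
    return {x: t for x, t in gamma.items() if t != Var(x)}

def occurs(x, t):
    return t == x or (isinstance(t, tuple) and any(occurs(x, a) for a in t[1:]))

def eq(s, t, theta, J):
    """[[s = t]](theta) of Section 3; the cases are tried in the order of the definition."""
    s1, t1 = apply(s, theta, J), apply(t, theta, J)
    if isinstance(s1, Var) and not occurs(s1, t1):
        return [compose(theta, {s1.name: t1}, J)]
    if isinstance(t1, Var) and not occurs(t1, s1):    # s1 is not a variable here
        return [compose(theta, {t1.name: s1}, J)]
    if s1 == t1:                                       # identical J-terms
        return [theta]
    if is_ground(s1) and is_ground(t1):                # different domain values: failure
        return []
    return [ERROR]                                     # non-ground and not identical: undecided

def rename(phi, x, y):
    """phi{x/y}: replace the free occurrences of the variable x by the variable y."""
    sub = lambda t: y if t == x else (t[0], *map(sub, t[1:])) if isinstance(t, tuple) else t
    k = phi[0]
    if k == "=": return ("=", sub(phi[1]), sub(phi[2]))
    if k == "atom": return ("atom", phi[1], [sub(a) for a in phi[2]])
    if k == "not": return ("not", rename(phi[1], x, y))
    if k == "exists": return phi if phi[1] == x else ("exists", phi[1], rename(phi[2], x, y))
    return (k, rename(phi[1], x, y), rename(phi[2], x, y))          # "and", "or"

def sem(phi, theta, I, J):
    """[[phi]](theta) of Section 4; I maps predicate symbols to Python predicates over J."""
    if theta == ERROR: return [ERROR]
    k = phi[0]
    if k == "=": return eq(phi[1], phi[2], theta, J)
    if k == "atom":                                    # p_I decides ground atoms only
        args = [apply(a, theta, J) for a in phi[2]]
        return [ERROR] if not all(map(is_ground, args)) else [theta] if I[phi[1]](*args) else []
    if k == "and":                                     # sequential composition
        return [e for th in sem(phi[1], theta, I, J) for e in sem(phi[2], th, I, J)]
    if k == "or":                                      # "don't know" nondeterminism
        return sem(phi[1], theta, I, J) + sem(phi[2], theta, I, J)
    if k == "not":                                     # negation as finite failure
        out = sem(phi[1], theta, I, J)
        return [theta] if not out else [] if theta in out else [ERROR]
    y = Var("_y%d" % next(_fresh))                     # exists: fresh local variable, then DROP_y
    return [e if e == ERROR else {w: t for w, t in e.items() if w != y.name}
            for e in sem(rename(phi[2], phi[1], y), theta, I, J)]

x, y, z, v = Var("x"), Var("y"), Var("z"), Var("v")

def example3():
    """Example 3 over Her: the conjunction succeeds, the reversed equation is undecided."""
    ok = sem(("and", ("=", ("f", x), z), ("=", ("g", z), ("g", ("f", x)))), {"x": ("g", y)}, {}, HER)
    return ok, sem(("=", ("g", ("f", x)), ("g", z)), {"x": ("g", y)}, {}, HER)

def example4():
    """Example 4 over Int: equations act as assignments; non-ground sides match, never unify."""
    a = sem(("and", ("=", y, ("-", z, 1)), ("=", z, ("+", x, 2))), {"x": 1}, {}, INT)
    b = sem(("=", ("*", x, ("+", y, 1)), ("*", ("+", v, 1), ("-", z, 1))),
            {"x": ("+", v, 1), "y": 1, "z": 3}, {}, INT)
    return a, b, sem(("=", ("-", y, 1), ("-", z, 1)), {}, {}, INT)
```

Outcome sets are returned as lists of dicts (Python dicts are not hashable), and `"error"` is carried through a conjunction exactly as $[\![\phi]\!](\mathit{error}) = \{\mathit{error}\}$ prescribes. Running `sem` twice on the same existential formula yields different fresh names, which is the "multiplicity" of meanings of $\exists x\, \phi$ discussed below; `DROP` removes the fresh variable, so the results agree up to that name. Evaluating `sem(("not", ("=", x, 1)), {}, {}, INT)` shows a non-ground negation producing `["error"]`, while the same query under `{"x": 2}` finitely fails inside and therefore succeeds with the empty answer.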

This definition of denotational semantics of first-order formulas combines a 
number of ideas put forward in the area of semantics of imperative programming 
languages and the field of logic programming. 

First, for an atomic formula $A$, when $A\theta$ is ground, its meaning coincides with the meaning of a Boolean expression given in de Bakker [dB80, page 270]. In turn, the meaning of the conjunction and of the disjunction follows [dB80, page 270] in the sense that the conjunction corresponds to the sequential composition operation ";" and the disjunction corresponds to the "don't know" nondeterministic choice, denoted there by $\cup$.

Next, the meaning of negation is inspired by its treatment in logic programming. To be more precise we need the following observations, the proofs of which easily follow by structural induction.

Note 1.

(i) If $\eta \in [\![\phi]\!](\theta)$, then $\eta = \theta\gamma$ for some $\mathcal{J}$-substitution $\gamma$.

(ii) If $\phi\theta$ is ground, then $[\![\phi]\!](\theta) \subseteq \{\theta, \mathit{error}\}$. □

First, we interpret $[\![\phi]\!](\theta) \cap \mathit{Subs} \neq \emptyset$ as the statement "the query $\phi\theta$ succeeds". More specifically, if $\eta \in [\![\phi]\!](\theta)$, then by Note 1(i) for some $\gamma$ we have $\eta = \theta\gamma$.

In general, $\gamma$ is of course not unique: take for example $\theta := \{x/0\}$ and $\eta = \theta$. Then both $\eta = \theta\varepsilon$ and $\eta = \theta\theta$. However, it is easy to show that if $\eta$ is less general than $\theta$, then in the set $\{\gamma \mid \eta = \theta\gamma\}$ the $\mathcal{J}$-substitution with the smallest domain is uniquely defined. In what follows, given $\mathcal{J}$-substitutions $\eta$ and $\theta$ such that $\eta$ is less general than $\theta$, when writing $\eta = \theta\gamma$ we always refer to this uniquely defined $\gamma$.

Now we interpret $\theta\gamma \in [\![\phi]\!](\theta)$ as the statement "$\gamma$ is the computed answer substitution for the query $\phi\theta$". In turn, we interpret $[\![\phi]\!](\theta) = \emptyset$ as the statement "the query $\phi\theta$ finitely fails".

Suppose now that $[\![\phi]\!](\theta) \cap \mathit{Subs} \neq \emptyset$, which means that the query $\phi\theta$ succeeds. Assume additionally that $\phi\theta$ is ground. Then by Note 1(ii) $\theta \in [\![\phi]\!](\theta)$ and consequently by the definition of the meaning of negation $[\![\neg\phi]\!](\theta) = \emptyset$, which means that the query $\neg\phi\theta$ finitely fails.

In turn, suppose that $[\![\phi]\!](\theta) = \emptyset$, which means that the query $\phi\theta$ finitely fails. By the definition of the meaning of negation $[\![\neg\phi]\!](\theta) = \{\theta\}$, which means that the query $\neg\phi\theta$ succeeds with the empty computed answer substitution.

This explains the relation with the "negation as finite failure" rule, according to which for a ground query $Q$:

— if $Q$ succeeds, then $\neg Q$ finitely fails,

— if $Q$ finitely fails, then $\neg Q$ succeeds with the empty computed answer substitution.



In fact, our definition of the meaning of negation corresponds to a generalization of the negation as finite failure rule already mentioned in Clark [Cla78], according to which the requirement that $Q$ is ground is dropped and the first item is replaced by:

— if $Q$ succeeds with the empty computed answer substitution, then $\neg Q$ finitely fails.



Finally, the meaning of the existential quantification corresponds to the meaning of the block statement in imperative languages, see, e.g., de Bakker [dB80, page 226], with the important difference that the local variable is not initialized. From this viewpoint the existential quantifier $\exists x$ corresponds to the declaration of the local variable $x$. The $\mathit{DROP}_x$ operation was introduced in Clarke [Cla79] to deal with the declarations of local variables.

We do not want to make the meaning of the formula $\exists x\, \phi$ dependent on the choice of $y$. Therefore we postulate that for any fresh variable $y$ the set $\mathit{DROP}_y([\![\phi\{x/y\}]\!](\theta))$ is a meaning of $\exists x\, \phi$ given a $\mathcal{J}$-substitution $\theta$. Consequently, the semantics of $\exists x\, \phi$ has many outcomes, one for each choice of $y$. This "multiplicity" of meanings then extends to all formulas containing the existential quantifier. So for example for any variable $y$ different from $x$ and $z$ the $\mathcal{J}$-substitution $\{z/f(y)\}$ is the meaning of $\exists x\, (z = f(x))$ given the empty $\mathcal{J}$-substitution $\varepsilon$.



5 Soundness 

To relate the introduced semantics to the notion of truth we first formalize the latter using the notion of a $\mathcal{J}$-substitution instead of the customary notion of a valuation.

Consider a first-order language $\mathcal{L}$ with equality and an interpretation $\mathcal{I}$ for it based on some algebra $\mathcal{J}$. Let $\theta$ be a $\mathcal{J}$-substitution. We define the relation $\mathcal{I} \models_\theta \phi$ for a formula $\phi$ by structural induction. First we assume that $\theta$ is defined on all free variables of $\phi$ and put

— $\mathcal{I} \models_\theta s = t$ iff $[s\theta]_{\mathcal{J}}$ and $[t\theta]_{\mathcal{J}}$ coincide,

— $\mathcal{I} \models_\theta p(t_1, \ldots, t_n)$ iff $p(t_1, \ldots, t_n)\theta$ is ground and $([t_1\theta]_{\mathcal{J}}, \ldots, [t_n\theta]_{\mathcal{J}}) \in p_{\mathcal{I}}$.

In other words, $\mathcal{I} \models_\theta p(t_1, \ldots, t_n)$ iff $p(t_1, \ldots, t_n)\theta$ is true. The definition extends to non-atomic formulas in the standard way.

Now assume that $\theta$ is not defined on all free variables of $\phi$. We put

— $\mathcal{I} \models_\theta \phi$ iff $\mathcal{I} \models_\theta \forall x_1, \ldots, \forall x_n\, \phi$, where $x_1, \ldots, x_n$ is the list of the free variables of $\phi$ that do not occur in the domain of $\theta$.

Finally,

— $\mathcal{I} \models \phi$ iff $\mathcal{I} \models_\theta \phi$ for all $\mathcal{J}$-substitutions $\theta$.

To prove the main theorem we need the following notation. Given a $\mathcal{J}$-substitution $\eta := \{x_1/h_1, \ldots, x_n/h_n\}$ we define $\langle\eta\rangle := x_1 = h_1 \wedge \ldots \wedge x_n = h_n$.

In the discussion that follows the following simple observation will be useful.

Note 2. For all $\mathcal{J}$-substitutions $\theta$ and formulas $\phi$

□

The following theorem now shows correctness of the introduced semantics with respect to the notion of truth.

Theorem 1 (Soundness).

Consider a first-order language $\mathcal{L}$ with equality and an interpretation $\mathcal{I}$ for it based on some algebra $\mathcal{J}$. Let $\phi$ be a formula of $\mathcal{L}$ and $\theta$ a $\mathcal{J}$-substitution.

(i) For each $\mathcal{J}$-substitution $\eta \in [\![\phi]\!](\theta)$

$$\mathcal{I} \models_\eta \phi.$$

(ii) If $\mathit{error} \notin [\![\phi]\!](\theta)$, then

$$\mathcal{I} \models \phi\theta \leftrightarrow \bigvee_{i=1}^{k} \exists\bar{y}_i\, \langle\eta_i\rangle,$$

where $[\![\phi]\!](\theta) = \{\theta\eta_1, \ldots, \theta\eta_k\}$, and for $i \in [1..k]$ $\bar{y}_i$ is a sequence of variables that appear in the range of $\eta_i$.

Note that by (ii) if $[\![\phi]\!](\theta) = \emptyset$, then

$$\mathcal{I} \models_\theta \neg\phi.$$

In particular, if $[\![\phi]\!](\varepsilon) = \emptyset$, then

$$\mathcal{I} \models \neg\phi.$$
Proof. The proof proceeds by simultaneous induction on the structure of the formulas.

$\phi$ is $s = t$.

If $\eta \in [\![\phi]\!](\theta)$, then three possibilities arise.

1. $s\theta$ is a variable that does not occur in $t\theta$.

Then $[\![s = t]\!](\theta) = \{\theta\{s\theta/[t\theta]_{\mathcal{J}}\}\}$ and consequently $\eta = \theta\{s\theta/[t\theta]_{\mathcal{J}}\}$. So $\mathcal{I} \models_\eta s = t$ holds since $s\eta = [t\theta]_{\mathcal{J}}$ and $t\eta = t\theta$.

2. $t\theta$ is a variable that does not occur in $s\theta$ and $s\theta$ is not a variable.

Then $[\![s = t]\!](\theta) = \{\theta\{t\theta/[s\theta]_{\mathcal{J}}\}\}$. This case is symmetric to 1.

3. $[s\theta]_{\mathcal{J}}$ and $[t\theta]_{\mathcal{J}}$ are identical.

Then $\eta = \theta$, so $\mathcal{I} \models_\eta s = t$ holds.

If $\mathit{error} \notin [\![\phi]\!](\theta)$, then four possibilities arise.

1. $s\theta$ is a variable that does not occur in $t\theta$.

Then $[\![s = t]\!](\theta) = \{\theta\{s\theta/[t\theta]_{\mathcal{J}}\}\}$. We have $\mathcal{I} \models (s = t)\theta \leftrightarrow s\theta = [t\theta]_{\mathcal{J}}$.

2. $t\theta$ is a variable that does not occur in $s\theta$ and $s\theta$ is not a variable.

Then $[\![s = t]\!](\theta) = \{\theta\{t\theta/[s\theta]_{\mathcal{J}}\}\}$. This case is symmetric to 1.

3. $[s\theta]_{\mathcal{J}}$ and $[t\theta]_{\mathcal{J}}$ are identical.

Then $[\![s = t]\!](\theta) = \{\theta\}$. We have $[\![s = t]\!](\theta) = \{\theta\varepsilon\}$ and $\mathcal{I} \models_\theta s = t$, so $\mathcal{I} \models (s = t)\theta \leftrightarrow \langle\varepsilon\rangle$, since $\langle\varepsilon\rangle$ is vacuously true.

4. $s\theta$ and $t\theta$ are ground $\mathcal{J}$-terms and $[s\theta]_{\mathcal{J}} \neq [t\theta]_{\mathcal{J}}$.

Then $[\![s = t]\!](\theta) = \emptyset$ and $\mathcal{I} \models_\theta \neg(s = t)$, so $\mathcal{I} \models (s = t)\theta \leftrightarrow \mathit{falsum}$, where $\mathit{falsum}$ denotes the empty disjunction.

$\phi$ is an atomic formula different from $s = t$.

If $\eta \in [\![\phi]\!](\theta)$, then $\eta = \theta$ and $\phi\theta$ is true. So $\mathcal{I} \models_\theta \phi$, i.e., $\mathcal{I} \models_\eta \phi$.

If $\mathit{error} \notin [\![\phi]\!](\theta)$, then either $[\![\phi]\!](\theta) = \{\theta\}$ or $[\![\phi]\!](\theta) = \emptyset$. In both cases the argument is the same as in cases 3 and 4 for the equality $s = t$.

Note that in both cases we established a stronger form of (ii) in which each list $\bar{y}_i$ is empty, i.e., no quantification over the variables in $\bar{y}_i$ appears.

$\phi$ is $\phi_1 \wedge \phi_2$. This is the most elaborate case.

If $\eta \in [\![\phi]\!](\theta)$, then for some $\mathcal{J}$-substitution $\gamma$ both $\gamma \in [\![\phi_1]\!](\theta)$ and $\eta \in [\![\phi_2]\!](\gamma)$. By induction hypothesis both $\mathcal{I} \models_\gamma \phi_1$ and $\mathcal{I} \models_\eta \phi_2$. But by Note 1(i) $\eta$ is less general than $\gamma$, so $\mathcal{I} \models_\eta \phi_1$ and consequently $\mathcal{I} \models_\eta \phi_1 \wedge \phi_2$.

If $\mathit{error} \notin [\![\phi]\!](\theta)$, then for some $X \subseteq \mathit{Subs}$ both $[\![\phi_1]\!](\theta) = X$ and $\mathit{error} \notin [\![\phi_2]\!](\eta)$ for all $\eta \in X$.

By induction hypothesis

$$\mathcal{I} \models \phi_1\theta \leftrightarrow \bigvee_{i=1}^{k} \exists\bar{y}_i\, \langle\eta_i\rangle,$$

where $X = \{\theta\eta_1, \ldots, \theta\eta_k\}$ and for $i \in [1..k]$ $\bar{y}_i$ is a sequence of variables that appear in the range of $\eta_i$. Hence

$$\mathcal{I} \models (\phi_1 \wedge \phi_2)\theta \leftrightarrow \Big(\bigvee_{i=1}^{k} \exists\bar{y}_i\, \langle\eta_i\rangle\Big) \wedge \phi_2\theta,$$

so by appropriate renaming of the variables in the sequences $\bar{y}_i$

$$\mathcal{I} \models (\phi_1 \wedge \phi_2)\theta \leftrightarrow \bigvee_{i=1}^{k} \exists\bar{y}_i\, (\langle\eta_i\rangle \wedge \phi_2\theta).$$

But for any $\mathcal{J}$-substitution $\delta$ and formula $\psi$

$$\mathcal{I} \models \langle\delta\rangle \wedge \psi\delta \leftrightarrow \langle\delta\rangle \wedge \psi,$$

so

$$\mathcal{I} \models (\phi_1 \wedge \phi_2)\theta \leftrightarrow \bigvee_{i=1}^{k} \exists\bar{y}_i\, (\langle\eta_i\rangle \wedge \phi_2\theta\eta_i). \qquad (1)$$

Further, we have for $i \in [1..k]$

$$[\![\phi_2]\!](\theta\eta_i) = \{\theta\eta_i\gamma_{i,j} \mid j \in [1..\ell_i]\}$$

for some $\mathcal{J}$-substitutions $\gamma_{i,1}, \ldots, \gamma_{i,\ell_i}$. So

$$[\![\phi_1 \wedge \phi_2]\!](\theta) = \{\theta\eta_i\gamma_{i,j} \mid i \in [1..k],\ j \in [1..\ell_i]\}.$$

By induction hypothesis we have for $i \in [1..k]$

$$\mathcal{I} \models \phi_2\theta\eta_i \leftrightarrow \bigvee_{j=1}^{\ell_i} \exists\bar{v}_{i,j}\, \langle\gamma_{i,j}\rangle,$$

where for $i \in [1..k]$ and $j \in [1..\ell_i]$ $\bar{v}_{i,j}$ is a sequence of variables that appear in the range of $\gamma_{i,j}$.

Using (1), by appropriate renaming of the variables in the sequences $\bar{v}_{i,j}$ we now conclude that

$$\mathcal{I} \models (\phi_1 \wedge \phi_2)\theta \leftrightarrow \bigvee_{i=1}^{k} \bigvee_{j=1}^{\ell_i} \exists\bar{y}_i\, \exists\bar{v}_{i,j}\, (\langle\eta_i\rangle \wedge \langle\gamma_{i,j}\rangle),$$

so

$$\mathcal{I} \models (\phi_1 \wedge \phi_2)\theta \leftrightarrow \bigvee_{i=1}^{k} \bigvee_{j=1}^{\ell_i} \exists\bar{y}_i\, \exists\bar{v}_{i,j}\, \langle\eta_i\gamma_{i,j}\rangle,$$

since the domains of $\eta_i$ and $\gamma_{i,j}$ are disjoint and for any $\mathcal{J}$-substitutions $\gamma$ and $\delta$ with disjoint domains we have

$$\mathcal{I} \models \langle\gamma\rangle \wedge \langle\delta\rangle \leftrightarrow \langle\gamma\delta\rangle.$$



$\phi$ is $\phi_1 \vee \phi_2$.

If $\eta \in [\![\phi]\!](\theta)$, then either $\eta \in [\![\phi_1]\!](\theta)$ or $\eta \in [\![\phi_2]\!](\theta)$, so by induction hypothesis either $\mathcal{I} \models_\eta \phi_1$ or $\mathcal{I} \models_\eta \phi_2$. In both cases $\mathcal{I} \models_\eta \phi_1 \vee \phi_2$ holds.

If $\mathit{error} \notin [\![\phi]\!](\theta)$, then for some $\mathcal{J}$-substitutions $\eta_1, \ldots, \eta_k$

$$[\![\phi_1]\!](\theta) = \{\theta\eta_1, \ldots, \theta\eta_k\},$$

where $k \geq 0$, for some $\mathcal{J}$-substitutions $\eta_{k+1}, \ldots, \eta_{k+\ell}$

$$[\![\phi_2]\!](\theta) = \{\theta\eta_{k+1}, \ldots, \theta\eta_{k+\ell}\},$$

where $\ell \geq 0$, and

$$[\![\phi_1 \vee \phi_2]\!](\theta) = \{\theta\eta_1, \ldots, \theta\eta_{k+\ell}\}.$$

By induction hypothesis both

$$\mathcal{I} \models \phi_1\theta \leftrightarrow \bigvee_{i=1}^{k} \exists\bar{y}_i\, \langle\eta_i\rangle$$

and

$$\mathcal{I} \models \phi_2\theta \leftrightarrow \bigvee_{i=k+1}^{k+\ell} \exists\bar{y}_i\, \langle\eta_i\rangle$$

for appropriate sequences of variables $\bar{y}_i$. So

$$\mathcal{I} \models (\phi_1 \vee \phi_2)\theta \leftrightarrow \bigvee_{i=1}^{k+\ell} \exists\bar{y}_i\, \langle\eta_i\rangle.$$

$\phi$ is $\neg\phi_1$.

If $\eta \in [\![\phi]\!](\theta)$, then $\eta = \theta$ and $[\![\phi_1]\!](\theta) = \emptyset$. By induction hypothesis $\mathcal{I} \models_\theta \neg\phi_1$, i.e., $\mathcal{I} \models_\eta \neg\phi_1$.

If $\mathit{error} \notin [\![\phi]\!](\theta)$, then either $[\![\phi]\!](\theta) = \{\theta\}$ or $[\![\phi]\!](\theta) = \emptyset$. In the former case $[\![\phi]\!](\theta) = \{\theta\varepsilon\}$, so $[\![\phi_1]\!](\theta) = \emptyset$. By induction hypothesis $\mathcal{I} \models_\theta \neg\phi_1$, i.e., $\mathcal{I} \models (\neg\phi_1)\theta \leftrightarrow \langle\varepsilon\rangle$, since $\langle\varepsilon\rangle$ is vacuously true. In the latter case $\theta \in [\![\phi_1]\!](\theta)$, so by induction hypothesis $\mathcal{I} \models_\theta \phi_1$, i.e., $\mathcal{I} \models (\neg\phi_1)\theta \leftrightarrow \mathit{falsum}$.

$\phi$ is $\exists x\, \phi_1$.

If $\eta \in [\![\phi]\!](\theta)$, then $\eta \in \mathit{DROP}_y([\![\phi_1\{x/y\}]\!](\theta))$ for some fresh variable $y$. So either (if $y$ is not in the domain of $\eta$) $\eta \in [\![\phi_1\{x/y\}]\!](\theta)$ or for some $\mathcal{J}$-term $s$ we have $\eta \uplus \{y/s\} \in [\![\phi_1\{x/y\}]\!](\theta)$. By induction hypothesis in the former case $\mathcal{I} \models_\eta \phi_1\{x/y\}$ and in the latter case $\mathcal{I} \models_{\eta \uplus \{y/s\}} \phi_1\{x/y\}$. In both cases $\mathcal{I} \models \exists y\, (\phi_1\{x/y\}\eta)$, so, since $y$ is fresh, $\mathcal{I} \models (\exists y\, \phi_1\{x/y\})\eta$ and consequently $\mathcal{I} \models (\exists x\, \phi_1)\eta$, i.e., $\mathcal{I} \models_\eta \exists x\, \phi_1$.

If $\mathit{error} \notin [\![\phi]\!](\theta)$, then $\mathit{error} \notin [\![\phi_1\{x/y\}]\!](\theta)$ as well, where $y$ is a fresh variable. By induction hypothesis

$$\mathcal{I} \models \phi_1\{x/y\}\theta \leftrightarrow \bigvee_{i=1}^{k} \exists\bar{y}_i\, \langle\eta_i\rangle, \qquad (2)$$

where

$$[\![\phi_1\{x/y\}]\!](\theta) = \{\theta\eta_1, \ldots, \theta\eta_k\} \qquad (3)$$

and for $i \in [1..k]$ $\bar{y}_i$ is a sequence of variables that appear in the range of $\eta_i$.

Since $y$ is fresh, we have $\mathcal{I} \models \exists y\, (\phi_1\{x/y\}\theta) \leftrightarrow (\exists y\, \phi_1\{x/y\})\theta$ and $\mathcal{I} \models (\exists y\, \phi_1\{x/y\})\theta \leftrightarrow (\exists x\, \phi_1)\theta$. So (2) implies

$$\mathcal{I} \models (\exists x\, \phi_1)\theta \leftrightarrow \bigvee_{i=1}^{k} \exists\bar{y}_i\, \exists y\, \langle\eta_i\rangle.$$

But for $i \in [1..k]$ the formulas $\exists y\, \langle\eta_i\rangle$ and $\exists y\, \langle\mathit{DROP}_y(\eta_i)\rangle$ are equivalent in $\mathcal{I}$, since if $y/s \in \eta_i$, then the variable $y$ does not appear in $s$. So

$$\mathcal{I} \models (\exists x\, \phi_1)\theta \leftrightarrow \bigvee_{i=1}^{k} \exists\bar{y}_i\, \exists y\, \langle\mathit{DROP}_y(\eta_i)\rangle. \qquad (4)$$

Now, by (3)

$$[\![\exists x\, \phi_1]\!](\theta) = \{\mathit{DROP}_y(\theta\eta_1), \ldots, \mathit{DROP}_y(\theta\eta_k)\}.$$

But $y$ does not occur in $\theta$, so we have for $i \in [1..k]$

$$\mathit{DROP}_y(\theta\eta_i) = \theta\, \mathit{DROP}_y(\eta_i)$$

and consequently

$$[\![\exists x\, \phi_1]\!](\theta) = \{\theta\, \mathit{DROP}_y(\eta_1), \ldots, \theta\, \mathit{DROP}_y(\eta_k)\}.$$

This by virtue of (4) concludes the proof. □

Informally, (i) states that every computed answer substitution of $\phi\theta$ validates it. It is useful to point out that (ii) is a counterpart of Theorem 3 in Clark [Cla78]. Intuitively, it states that a query is equivalent to the disjunction of its computed answer substitutions written out in equational form (using the $\langle\eta\rangle$ notation). In our case this property holds only if $error$ is not a possible outcome. Indeed, if $[\![s = t]\!](\theta) = \{error\}$, then nothing can be stated about the status of the statement $\mathcal{I} \models (s = t)\theta$.

Note that in case $error \notin [\![\phi]\!](\theta)$, (ii) implies (i) by virtue of Note 0. On the other hand, if $error \in [\![\phi]\!](\theta)$, then (i) can still be applicable while (ii) is not.

Additionally, the existential quantifiers have to be used in an appropriate way.
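To make the four inductive cases of the proof concrete, here is an added Python sketch of the denotational semantics as a recursive evaluator. It is not the paper's own definition and not code from [AB99]: conjunction composes the answer substitutions of the first conjunct with those of the second, disjunction takes the union, negation succeeds exactly when the subformula fails finitely, and $\exists x$ renames $x$ to a fresh $y$ and applies $DROP_y$. The equality rule is an assumption made for the sketch (bind an unbound variable one way, compare ground terms, report $error$ otherwise), and the encoding of terms, formulas and the $error$ outcome is likewise the sketch's own.

```python
"""Toy evaluator for the denotational semantics of first-order formulas.

Added illustration, not the paper's definitions.  Terms are variables
(strings) or tuples ('f', arg1, ...); constants are 1-tuples ('a',).
Formulas are tuples: ('eq', s, t), ('and', f, g), ('or', f, g),
('not', f), ('exists', x, f).  A substitution is a dict var -> term.
"""
import itertools

ERROR = "error"            # sentinel standing for the error outcome
_fresh = itertools.count()  # supplies fresh variables for 'exists'


def is_var(t):
    return isinstance(t, str)


def apply(t, sub):
    """t sub: replace the variables of t by their bindings (single pass)."""
    if is_var(t):
        return sub.get(t, t)
    return (t[0],) + tuple(apply(a, sub) for a in t[1:])


def occurs(x, t):
    return t == x if is_var(t) else any(occurs(x, a) for a in t[1:])


def is_ground(t):
    return (not is_var(t)) and all(is_ground(a) for a in t[1:])


def compose(theta, eta):
    """theta eta: apply theta first, then eta (domains may overlap)."""
    out = {x: apply(s, eta) for x, s in theta.items()}
    for y, s in eta.items():
        out.setdefault(y, s)
    return out


def drop(y, sub):
    """DROP_y: remove y from the domain; y may survive in the range."""
    return {x: s for x, s in sub.items() if x != y}


def rename(phi, x, y):
    """phi{x/y}: rename free occurrences of variable x to y."""
    tag = phi[0]
    if tag == 'eq':
        return ('eq', apply(phi[1], {x: y}), apply(phi[2], {x: y}))
    if tag in ('and', 'or'):
        return (tag, rename(phi[1], x, y), rename(phi[2], x, y))
    if tag == 'not':
        return ('not', rename(phi[1], x, y))
    if phi[1] == x:                 # 'exists' rebinding x: x is not free
        return phi
    return ('exists', phi[1], rename(phi[2], x, y))


def evaluate(phi, theta):
    """[[phi]](theta): list of substitutions extending theta, or ERROR."""
    tag = phi[0]
    if tag == 'eq':                 # ASSUMED simplified equality rule
        s, t = apply(phi[1], theta), apply(phi[2], theta)
        if s == t:
            return [theta]
        if is_var(s) and not occurs(s, t):
            return [compose(theta, {s: t})]
        if is_var(t) and not occurs(t, s):
            return [compose(theta, {t: s})]
        if is_ground(s) and is_ground(t):
            return []               # distinct ground terms: failure
        return ERROR                # would need unification: error
    if tag == 'and':                # sequential composition
        first = evaluate(phi[1], theta)
        if first is ERROR:
            return ERROR
        out = []
        for eta in first:
            rest = evaluate(phi[2], eta)
            if rest is ERROR:
                return ERROR
            out.extend(rest)
        return out
    if tag == 'or':                 # "don't know" nondeterminism
        left, right = evaluate(phi[1], theta), evaluate(phi[2], theta)
        if left is ERROR or right is ERROR:
            return ERROR
        return left + right
    if tag == 'not':                # negation as finite failure
        inner = evaluate(phi[1], theta)
        if inner is ERROR:
            return ERROR
        if not inner:
            return [theta]
        if theta in inner:
            return []
        return ERROR                # phi_1 bound variables: no verdict
    x, body = phi[1], phi[2]        # 'exists': local variable
    y = "_y%d" % next(_fresh)       # fresh variable
    inner = evaluate(rename(body, x, y), theta)
    if inner is ERROR:
        return ERROR
    return [drop(y, eta) for eta in inner]


def show(t):
    if is_var(t) or len(t) == 1:
        return t if is_var(t) else t[0]
    return "%s(%s)" % (t[0], ", ".join(show(a) for a in t[1:]))


def answer_formula(sub):
    """<eta>: the equational form of a computed answer substitution."""
    return " and ".join("%s = %s" % (x, show(s)) for x, s in sorted(sub.items())) or "true"


if __name__ == "__main__":
    query = ('and', ('eq', 'x', ('f', 'z')), ('eq', 'z', ('a',)))
    for eta in evaluate(query, {}):
        print(answer_formula(eta))
    print(evaluate(('not', ('eq', 'x', ('a',))), {}))
```

Running the sketch shows the points the proof turns on: the answer for $x = f(z) \wedge z = a$ is the composed substitution $\{x/f(a), z/a\}$, whose equational form is the conjunction of the two equations, as in $\langle\gamma\rangle \wedge \langle\delta\rangle \leftrightarrow \langle\gamma\delta\rangle$; the $\exists z$ case leaves the fresh variable in the range of the answer, which is why (ii) quantifies the variables $\bar{y}_i$ of the range; and $\neg(x = a)$ under the empty substitution yields $error$ rather than an answer, matching the observation that nothing can be said about truth in that case.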



The formulas of the form $\exists \bar{y}\, \langle\eta\rangle$ also appear in Maher [Mah88] in connection with a study of the decision procedures for the algebras of trees. In fact, there are some interesting connections between that paper and ours that could be investigated in closer detail.
6 Conclusions and Future Work

In this paper we provided a denotational semantics for first-order logic formulas. This semantics is a counterpart of the operational semantics introduced in Apt and Bezem [AB99]. The important difference is that we provide here a more general treatment of equality, according to which a non-ground term can be assigned to a variable. This realizes logical variables in the framework of Apt and Bezem [AB99]. This feature led to a number of complications in the proof of the Soundness Theorem 1.

One of the advantages of this theorem is that it allows us to reason about the considered program simply by comparing it to the formula representing its specification. In the case of the operational semantics this was exemplified in Apt and Bezem [AB99] by showing how to verify non-trivial Alma-0 programs that do not include destructive assignment.

Note that it is straightforward to extend the semantics provided here to other well-known programming constructs, such as destructive assignment, the while construct and recursion. However, as soon as destructive assignment is introduced, the relation with the definition of truth in the sense of the Soundness Theorem 1 is lost and the just mentioned approach to program verification can no longer be applied. In fact, the right approach to the verification of the resulting programs is an appropriately designed Hoare logic or the weakest precondition semantics.

The work reported here can be extended in several directions. First of all, it would be useful to prove the equivalence between the operational and the denotational semantics. Also, it would be interesting to specialize the introduced semantics to specific interpretations for which the semantics would generate an error less often. Examples are Herbrand interpretations for an arbitrary first-order language, in which the meaning of equalities could be rendered using most general unifiers, and the standard interpretation over the reals for the language defining linear equations; these equations can be handled by means of the usual elimination procedure. In both cases equality could be dealt with without introducing the error state at all.

Other possible research directions were already mentioned in Apt and Bezem [AB99]. These involved the addition of recursive procedures and of constraints, and the provision of support for automated verification of programs written in Alma-0. The last item mentioned there, the relation to dynamic predicate logic, was in the meantime extensively studied in the work of van Eijck [vE98] who, starting with Apt and Bezem [AB99], defined a number of semantics for dynamic predicate logic in which the existential quantifier has a different, dynamic scope. This work was motivated by applications in natural language processing.